Install and configure Server instances to communicate with the backend Server instances using either SSL or StartTLS.
  1. Create a Java KeyStore (JKS) that includes a public and private key pair for a certificate that the Server instances will use to authenticate to the Directory Server instances.
    1. Run the following command in the instance root of one of the Server instances.
      $ keytool -genkeypair \
        -keystore config/proxy-user-keystore \
        -storetype JKS \
        -keyalg RSA \
        -keysize 2048 \
        -alias proxy-user-cert \
        -dname "cn=Proxy User,cn=Root DNs,cn=config" \
        -validity 7300 
    2. When prompted for a key store password, enter a strong password to protect the certificate.
    3. When prompted for the key password, press Enter to use the key store password to protect the private key.
  2. Use a text editor to create a config/proxy-user-keystore.pin file containing a single line that is the key store password provided in the previous step.
  3. If there are other Server instances in the topology, copy the proxy-user-keystore and proxy-user-keystore.pinfiles into the config directory for all instances.
  4. To export the public component of the proxy user certificate to a text file, run the following command.
    $ keytool -export \
      -keystore config/proxy-user-keystore \
      -alias proxy-user-cert \
      -file config/proxy-user-cert.txt
  5. Copy the proxy-user-cert.txt file into the config directory of all Directory Server instances.
    1. Import that certificate into each server's primary trust store by running the following command from the server root.
      $ keytool -import \
        -keystore config/truststore \
        -alias proxy-user-cert \
        -file config/proxy-user-cert.txt
    2. When prompted for the keystore password, enter the password contained in the config/truststore.pin file.
    3. When prompted to trust the certificate, enter yes.
  6. To update the configuration for each Server instance to create a new key manager provider that will obtain its certificate from the config/proxy-user-keystore file, run the following dsconfig command.
    $ dsconfig create-key-manager-provider \
      --provider-name "Proxy User Certificate" \
      --type file-based \
      --set enabled:true \
      --set key-store-file:config/proxy-user-keystore \
      --set key-store-type:JKS \
      --set key-store-pin-file:config/proxy-user-keystore.pin
  7. To update the configuration for each LDAP external server in each Server instance to use the newly-created key manager provider, and also to use SASL EXTERNAL authentication instead of LDAP simple authentication, run the following dsconfig command.
    $ dsconfig set-external-server-prop \
      --server-name ds1.example.com:636 \
      --set authentication-method:external \
      --set "key-manager-provider:Proxy User Certificate"
    After these changes, the Server re-establishes connections to the LDAP external server and authenticate with SASL EXTERNAL.
  8. Verify that the Server can communicate with all backend servers by running the bin/status command.
    All of the servers listed in the "--- LDAP External Servers ---" section are available.
  9. Review the Directory Server access log.

    The BIND RESULT log messages used to authenticate the connections from the Server include the following:

    • authType="SASL"
    • saslMechanism="EXTERNAL"
    • resultCode=0
    • authDN="cn=Proxy User,cn=Root DNs,cn=config"